Enable password encryption and create usernames and passwords

The service password-encryption command allows for, ahem, the encryption of every password (enable and username passwords) on the device. Issue it if you haven’t before (you probably have, though). Also create the users who can access your device, and with which privilege level. In this example the user database is local.

Restricting vty lines to use only ssh (don’t allow telnet)

On the vty lines (in line configuration mode), allow only incoming SSH connections with the command transport input ssh (by default the lines don’t allow any connections), and indicate that authentication takes place against the local database (the users you created before).

If you want to add a bit of extra security, you can create a list of IP addresses which are allowed to connect via ssh to the Cisco device.

The following example creates the standard access list 1 to permit traffic from the subnet 10.10.10.0 with logging enabled. A deny statement is implicit at the end of every ACL, so technically the second access-list line is not needed unless you want to log unauthorized connection attempts (always check who’s trying to connect to your server!).

Block IP addresses after a certain number of failed attempts (optional)

Also, if you want to deter the casual attacker, you can block their IP addresses for a period of time with the command login block-for; this will prevent brute-force attacks against the device.

The example below blocks an IP address for 1 hour (3600 seconds) after 5 failed login attempts within 50 seconds. Important: choose the proper times carefully for your environment. If you select a very low fail-attempt threshold, like 2 failed login attempts within 60 seconds, then you might lock yourself out if you accidentally type a wrong password 2 times in 1 minute.

switch(config)# login block-for 3600 attempts 5 within 50
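The whole procedure above, entered in global configuration mode, as one added example (this is not configuration from the original post). The hostname, domain name, username, the placeholder passwords, the 2048-bit RSA key size, the exec-timeout value and the login quiet-mode and login on-failure lines are my additions or assumptions; the ACL numbers, the 10.10.10.0 subnet and the login block-for values are the ones used in the text. Two points worth knowing: service password-encryption only applies reversible type 7 obfuscation to passwords stored with the password keyword, so the enable and username credentials below use the secret keyword, which stores a hash instead. And during the quiet period started by login block-for, IOS refuses logins from every source except hosts matched by the login quiet-mode access-class ACL, which is why that line is included: it keeps the management subnet from being locked out by the mistyped-password scenario the previous paragraph warns about.

```cisco
! Added example: hardened SSH-only management access for a Cisco IOS switch.
! Placeholders: hostname, domain name, user name and the two <...> passwords.
hostname switch
! A domain name is required before an RSA host key can be generated (assumption).
ip domain-name example.invalid
!
! Obfuscate type 7 passwords in the running-config; use "secret" (hashed) where possible.
service password-encryption
enable secret <ENABLE-PASSWORD>
! Local user database with full privileges, hashed secret.
username admin privilege 15 secret <ADMIN-PASSWORD>
!
! RSA host key for the SSH server and SSHv2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Standard ACL 1: only the management subnet may open sessions.
! The explicit "deny any log" line exists only to log blocked attempts;
! the implicit deny at the end of the ACL would drop them silently.
access-list 1 permit 10.10.10.0 0.0.0.255 log
access-list 1 deny any log
!
! vty lines: SSH only, local authentication, ACL 1 applied to incoming sessions.
line vty 0 4
 transport input ssh
 login local
 access-class 1 in
 exec-timeout 10 0
!
! Quiet period: after 5 failed logins within 50 seconds, refuse logins for 3600 s.
! "login block-for" must be configured before the other "login" commands.
login block-for 3600 attempts 5 within 50
! Hosts matched by ACL 1 may still log in while the quiet period is active.
login quiet-mode access-class 1
! Send a syslog message for every failed login attempt.
login on-failure log
```

After saving, confirm the result with show running-config | section line vty, show ip ssh and show login; the last command reports whether the device is currently in a quiet period and how many failed attempts it has counted.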

That’s it. You should be able to connect to your device via your favorite SSH client.